PCI DSS Compliance for Spreadsheets


The Payment Card Industry (PCI) Data Security Standard (PCI DSS) requires merchants, banks and data processors to “protect stored cardholder data”. PCI DSS is enforced by the major payment card brands that established it, namely American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

Companies subject to PCI DSS will naturally focus on their core systems, ensuring that cardholder data is stored only where absolutely necessary and, where it is stored, that it is appropriately protected against unauthorised access and data leakage.

However, companies must also look beyond their core systems to ensure that such sensitive data does not exist in vulnerable end user computing applications such as spreadsheets.

Following a successful project with a UK retail bank, ClusterSeven offers a targeted scanning facility to detect relevant cardholder data within spreadsheets. The key tests are as follows:

Data Storage Rule                Data Type                             Description
Storage permitted if protected   Primary Account Number (PAN)          14-19 digit lengths in multiple structures (e.g. xxxx-xxxx-xxxx-xxxx)
Storage permitted if protected   PAN with Luhn check                   Validate suspected card data using the Luhn algorithm
Storage permitted if protected   Card scheme identifiers               Detect card scheme identifiers (e.g. Maestro: 5108, 5020, 5038, 6304, 6759, 6761, 6762, 6763)
Storage not permitted            Security code values                  Detect security code values where they are associated with card data (CVC2, CVV2)
Storage not permitted            Sensitive Authentication Data (SAD)   Track 1/Track 2 (chip/magnetic stripe), PIN block
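The first four tests in the table (PAN pattern, Luhn validation, scheme prefix, and security code associated with card data) can be chained into one scan over a grid of spreadsheet cells. The following is an added Python example written for this page; it is not ClusterSeven's code and does not describe how their product is implemented. The only scheme prefixes it knows are the Maestro values quoted in the table, so other card schemes are reported without a scheme name; the header keywords used to recognise a security-code column and the sample rows are constructed for the example. Findings are reported with the PAN masked so that the scan's own output does not become another store of cardholder data.

```python
import re
from typing import Dict, List, Optional

# Scheme identifiers taken from the page's table (Maestro only). Ranges for other
# schemes are not on the page and are deliberately left out of this example.
SCHEME_PREFIXES = {
    "Maestro": ("5108", "5020", "5038", "6304", "6759", "6761", "6762", "6763"),
}

# PAN candidate: 14-19 digits, optionally broken up by spaces or hyphens
# (covers xxxx-xxxx-xxxx-xxxx, 4-6-5 groupings and unbroken runs).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,18}\d(?!\d)")

# Assumed header keywords for a security-code column (not from the page).
CVV_HEADER = re.compile(r"\b(cvv2?|cvc2?|cid|security\s*code)\b", re.IGNORECASE)
CVV_CELL = re.compile(r"^\d{3,4}$")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check over a string of ASCII digits."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if pos % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scheme_for(pan: str) -> Optional[str]:
    """Return the scheme whose identifier prefix matches, or None if unknown here."""
    for scheme, prefixes in SCHEME_PREFIXES.items():
        if pan.startswith(prefixes):
            return scheme
    return None


def mask(pan: str) -> str:
    """Keep first six and last four digits (the PCI DSS display allowance)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_rows(rows: List[List[str]]) -> List[Dict[str, object]]:
    """Scan a grid of cell strings (first row = headers) and return findings.

    Only Luhn-valid candidates are reported as PANs, which drops most order
    numbers and other 14-19 digit references. A 3-4 digit value in a
    security-code column is reported only when the same row holds a PAN,
    matching the table's 'associated with card data' condition.
    """
    findings: List[Dict[str, object]] = []
    header = rows[0] if rows else []
    cvv_cols = [i for i, h in enumerate(header) if CVV_HEADER.search(h)]
    for r, row in enumerate(rows):
        row_has_pan = False
        for c, cell in enumerate(row):
            for m in PAN_CANDIDATE.finditer(cell):
                pan = re.sub(r"[ -]", "", m.group())
                if not luhn_valid(pan):
                    continue
                row_has_pan = True
                findings.append({
                    "row": r, "col": c, "type": "PAN", "value": mask(pan),
                    "scheme": scheme_for(pan),
                    "rule": "Storage permitted if protected",
                })
        if row_has_pan:
            for c in cvv_cols:
                if c < len(row) and CVV_CELL.match(row[c].strip()):
                    findings.append({
                        "row": r, "col": c, "type": "Security code",
                        "value": "***", "scheme": None,
                        "rule": "Storage not permitted",
                    })
    return findings


# Constructed sample range: one Luhn-valid Maestro-prefixed PAN with a stored
# CVV2, one mistyped PAN (fails Luhn), a 16-digit order reference (fails Luhn),
# and the well-known 4111... test number (valid, scheme not in this table).
SAMPLE_ROWS = [
    ["Customer", "Card number", "CVV2", "Order ref"],
    ["A. Smith", "6759 6498 2600 0006", "123", "1234567890123456"],
    ["B. Jones", "4111-1111-1111-1112", "", "ORD-2200"],
    ["C. Brown", "4111111111111111", "", "ORD-2201"],
]

if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f)
```

Running the block reports two PAN findings (the Maestro-prefixed number on row 1 and the test number on row 3) and one "Storage not permitted" finding for the CVV2 cell on row 1; the order reference and the mistyped number are discarded by the Luhn check even though both match the digit pattern.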

The use of these tests is fully flexible. They may be combined with the full ClusterSeven suite of out-of-the-box risk checks (more than 60 additional checks), extended with your own rules, or run as a separate, on-demand risk profile for the areas of concern within your business. In addition, the tests can be run by users on demand through your intranet or applied in bulk to entire file server locations.


“PCI DSS represents a minimum set of control objectives which may be enhanced by local, regional and sector laws and regulations. Additionally, legislation or regulatory requirements may require specific protection of personally identifiable information or other data elements.”

Payment Card Industry (PCI) Data Security Standard: Requirements and Security Assessment Procedures V2.0 October 2010